/alcasar.sh |
---|
2,6 → 2,9 |
# $Id$ |
# alcasar.sh |
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy) |
# This script is distributed under the Gnu General Public License (GPL) |
# team@alcasar.net |
# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] |
# Ce programme est un logiciel libre ; This software is free and open source |
10,15 → 13,11 |
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. |
# Voir la Licence Publique Générale GNU pour plus de détails. |
# team@alcasar.net |
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY |
# This script is distributed under the Gnu General Public License (GPL) |
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau) |
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants : |
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal) |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : |
# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump |
# Options : |
29,13 → 28,13 |
# testing : connectivity tests, free space test and mageia version test |
# init : Installation of RPM and scripts |
# network : Network parameters |
# ACC : ALCASAR Control Center installation |
# CA : Certification Authority initialization |
# ACC : ALCASAR Control Center installation |
# CA : Certification Authority initialization |
# time_server : NTPd configuration |
# init_db : Initilization of radius database managed with MariaDB |
# freeradius : FreeRadius initialisation |
# chilli : coovachilli initialisation (+authentication page) |
# dansguardian : DansGuardian filtering HTTP proxy configuration |
# dansguardian : DansGuardian filtering HTTP proxy configuration |
# antivirus : HAVP + libclamav configuration |
# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus" |
# ulogd : log system in userland (match NFLOG target of iptables) |
42,14 → 41,15 |
# nfsen : Configuration of Nfsen Netflow grapher |
# dnsmasq : Name server configuration |
# vnstat : little network stat daemon |
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter) |
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter) |
# cron : Logs export + watchdog + connexion statistics |
# fail2ban : Fail2ban IDS installation and configuration |
# gammu_smsd : Autoregister addon via SMS (gammu-smsd) |
# msec : Mandriva security package configuration |
# letsencrypt : Let's Encrypt client |
# post_install : Security, log rotation, etc. |
# post_install : Security, log rotation, etc. |
DEBUG_ALCASAR=off; export DEBUG_ALCASAR # Debug mode = wait (hit key) after each function |
DATE=`date '+%d %B %Y - %Hh%M'` |
DATE_SHORT=`date '+%d/%m/%Y'` |
Lang=`echo $LANG|cut -c 1-2` |
2345,6 → 2345,11 |
$DIR_SCRIPTS/alcasar-uninstall.sh -full |
fi |
fi |
if [ $DEBUG_ALCASAR == "on" ] |
then |
echo "*** 'debug' : end of cleaning ***" |
read a |
fi |
# Test if manual update |
if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ] |
then |
2386,7 → 2391,11 |
for func in init network ACC CA time_server init_db freeradius chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd msec letsencrypt post_install |
do |
$func |
# echo "*** 'debug' : end of function $func ***"; read a |
if [ $DEBUG_ALCASAR == "on" ] |
then |
echo "*** 'debug' : end of install '$func' ***" |
read a |
fi |
done |
;; |
-u | --uninstall) |
/conf/sudoers |
---|
28,6 → 28,7 |
Cmnd_Alias SSL=/usr/local/bin/alcasar-importcert.sh,/usr/local/bin/alcasar-letsencrypt.sh,/usr/local/bin/alcasar-https.sh # to manage the certificates |
Cmnd_Alias HTDIGEST=/usr/local/bin/alcasar-profil.sh # to manage htdigest groups |
Cmnd_Alias LOG_GEN=/usr/local/bin/alcasar-generate_log.sh # to create log PDF from ACC |
Cmnd_Alias LDAP=/usr/local/bin/alcasar-ldap.sh # to enable/disable LDAP connection |
# Defaults specification |
# Defaults syslog=auth |
47,5 → 48,5 |
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom |
# %users localhost=/sbin/shutdown -h now |
ADMWEB LAN_ORG=(root) NOPASSWD: NET,SYSTEM_BACKUP,SQL,BL,NF,EXPORT,RADDB,LOGOUT,UAM,SERVICE,GAMMU,SSL,HTDIGEST,LOG_GEN |
ADMWEB LAN_ORG=(root) NOPASSWD: NET,SYSTEM_BACKUP,SQL,BL,NF,EXPORT,RADDB,LOGOUT,UAM,SERVICE,GAMMU,SSL,HTDIGEST,LOG_GEN,LDAP |
ADMIN LAN_ORG=(root) NOPASSWD: NET,URPMI,BYPASS,SYSTEM_BACKUP,SQL,EXPORT,SERVICE,SSL |
/scripts/alcasar-ldap.sh |
---|
8,10 → 8,7 |
# enable / disable authentication of users via an extern LDAP server |
# TODO |
# - modif files "site-enabled/alcasar" + "mods-available/ldap" |
# - add / remove "ln -s mods-available/ldap mods-enabled/ldap" |
# - /usr/local/bin/alcasar-iptables.sh"); |
# - /usr/bin/systemctl restart radiusd"); |
# - modif files "site-enabled/alcasar" |
# Modif "sites-enabled/alcasar" |
# Configure autorize section with: |
23,26 → 20,16 |
# ldap |
# } |
# Modif "mods-available/ldap" |
# host = $ldap_server; |
# identity = $ldap_user; |
# password = $ldap_password; |
# basedn = $ldap_base_dn; |
# filter = $ldap_filter; |
# uid = $ldap_filter; |
# base_filter = $ldap_base_filter; |
usage="Usage: alcasar-ldap.sh {--on or -on } | {--off or -off}" |
SED="/bin/sed -i" |
CONF_FILE="/usr/local/etc/alcasar.conf" |
LDAP_MODULE="/etc/raddb/mods-available/ldap-alcasar" |
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace |
LDAP_SERVER=`grep ^LDAP_SERVER= $CONF_FILE|cut -d"=" -f2` |
LDAP_BASE=`grep ^LDAP_BASE= $CONF_FILE|cut -d"=" -f2` |
LDAP_UID=`grep ^LDAP_UID= $CONF_FILE|cut -d"=" -f2` |
LDAP_FILTER=`grep ^LDAP_FILTER= $CONF_FILE|cut -d"=" -f2` |
LDAP_USER=`grep ^LDAP_USER= $CONF_FILE|cut -d"=" -f2` |
LDAP_PASSWORD=`grep ^LDAP_PASSWORD= $CONF_FILE|cut -d"=" -f2` |
LDAP_SERVER=`grep ^LDAP_SERVER= $CONF_FILE|cut -d"=" -f2` # IP address of the LDAP server |
LDAP_BASE=`grep ^LDAP_BASE= $CONF_FILE|cut -d"=" -f2-` # Where to find the users (cn=**,dc=**,dc=**) |
LDAP_UID=`grep ^LDAP_UID= $CONF_FILE|cut -d"=" -f2` # 'samaccuntname' for A.D. - 'UID' for LDAP |
LDAP_FILTER=`grep ^LDAP_FILTER= $CONF_FILE|cut -d"=" -f2` # Filter to limit users search (not used for now) |
LDAP_USER=`grep ^LDAP_USER= $CONF_FILE|cut -d"=" -f2` # User name enable to list the directory |
LDAP_PASSWORD=`grep ^LDAP_PASSWORD= $CONF_FILE|cut -d"=" -f2` # |
nb_args=$# |
args=$1 |
if [ $nb_args -eq 0 ] |
57,17 → 44,22 |
;; |
--on | -on) |
$SED "s/^LDAP=.*/LDAP=on/g" $CONF_FILE |
$SED "s/^server =.*/server = ldap://$LDAP_SERVER/g" $LDAP_MODULE |
$SED "s/^identity =.*/identity = $LDAP_UID/g" $LDAP_MODULE |
$SED "s/^server =.*/server = ldap:\/\/$LDAP_SERVER/g" $LDAP_MODULE |
$SED "s/^identity =.*/identity = $LDAP_USER/g" $LDAP_MODULE |
$SED "s/^password =.*/password = $LDAP_PASSWORD/g" $LDAP_MODULE |
$SED "s/^base_dn =.*/base_dn = $LDAP_BASE/g" $LDAP_MODULE |
$SED "s/^filter =.*/filter = ($LDAP_UID=%{%{Stripped-User-Name}:-%{User-Name}})/g" $LDAP_MODULE |
ln -s $LDAP_MODULE /etc/raddb/mods-enabled/ldap |
if [ ! -e /etc/raddb/mods-enabled/ldap ] |
then |
ln -s $LDAP_MODULE /etc/raddb/mods-enabled/ldap |
fi |
/usr/local/bin/alcasar-iptables.sh |
/usr/bin/systemctl restart radiusd.service |
;; |
--off | -off) |
$SED "s/^LDAP=.*/LDAP=off/g" $CONF_FILE |
rm -f /etc/raddb/mods-enabled/ldap |
/usr/local/bin/alcasar-iptables.sh |
/usr/bin/systemctl restart radiusd.service |
;; |
*) |
/scripts/alcasar-uninstall.sh |
---|
70,7 → 70,7 |
[ -e /etc/raddb/clients.conf.default ] && mv /etc/raddb/clients.conf.default /etc/raddb/clients.conf && echo -n "5, " |
[ -e /etc/raddb/mods-enabled/ldap ] && rm /etc/raddb/mods-enabled/ldap && echo -n "6, " #Add here other mods |
[ -e /etc/raddb/mods-enabled/sql ] && rm /etc/raddb/mods-enabled/sql && echo -n "6bis, " #Add here other mods |
[ -e /etc/raddb/mods-available/ldap-alcasar ] && rm /etc/raddb/mods-available/alcasar-ldap && echo -n "7, " |
[ -e /etc/raddb/mods-available/ldap-alcasar ] && rm /etc/raddb/mods-available/ldap-alcasar && echo -n "7, " |
[ -e /etc/raddb/mods-available/sql.default ] && mv /etc/raddb/mods-available/sql.default /etc/raddb/mods-available/sql && echo -n "8, " |
[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] && mv /etc/raddb/mods-config/sql/main/mysql/queries.conf.default /etc/raddb/mods-config/sql/main/mysql/queries.conf && echo -n "9, " |
[ -e /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default ] && mv /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf && echo -n "10, " |
315,9 → 315,12 |
echo -en "\n- $func " |
$func |
sleep 1 |
# echo -en " *** 'debug' : end of function $func - Hit enter ***"; read a |
if [ $DEBUG_ALCASAR == "on" ] |
then |
echo -n " *** 'debug' : end of cleaning '$func' *** " |
read a |
fi |
done |
if [ $mode == "full" ] |
then |
echo -en "\n- network(9) : " |